Fix ConstructorConstructor creating mismatching Collection and Map instances

gson/src/main/java/com/google/gson/Gson.java

@@ -1106,8 +1106,7 @@ public JsonReader newJsonReader(Reader reader) {
    * @see #fromJson(String, TypeToken)
    */
   public <T> T fromJson(String json, Class<T> classOfT) throws JsonSyntaxException {
-    T object = fromJson(json, TypeToken.get(classOfT));
-    return Primitives.wrap(classOfT).cast(object);
+    return fromJson(json, TypeToken.get(classOfT));
   }
 
   /**
@@ -1198,8 +1197,7 @@ public <T> T fromJson(String json, TypeToken<T> typeOfT) throws JsonSyntaxExcept
    */
   public <T> T fromJson(Reader json, Class<T> classOfT)
       throws JsonSyntaxException, JsonIOException {
-    T object = fromJson(json, TypeToken.get(classOfT));
-    return Primitives.wrap(classOfT).cast(object);
+    return fromJson(json, TypeToken.get(classOfT));
   }
 
   /**
@@ -1360,7 +1358,19 @@ public <T> T fromJson(JsonReader reader, TypeToken<T> typeOfT)
       JsonToken unused = reader.peek();
       isEmpty = false;
       TypeAdapter<T> typeAdapter = getAdapter(typeOfT);
-      return typeAdapter.read(reader);
+      T object = typeAdapter.read(reader);
+      Class<?> expectedTypeWrapped = Primitives.wrap(typeOfT.getRawType());
+      if (object != null && !expectedTypeWrapped.isInstance(object)) {
+        throw new ClassCastException(
+            "Type adapter '"
+                + typeAdapter
+                + "' returned wrong type; requested "
+                + typeOfT.getRawType()
+                + " but got instance of "
+                + object.getClass()
+                + "\nVerify that the adapter was registed for the correct type.");
+      }
+      return object;
     } catch (EOFException e) {
       /*
        * For compatibility with JSON 1.5 and earlier, we return null for empty
@@ -1405,8 +1415,7 @@ public <T> T fromJson(JsonReader reader, TypeToken<T> typeOfT)
    * @see #fromJson(JsonElement, TypeToken)
    */
   public <T> T fromJson(JsonElement json, Class<T> classOfT) throws JsonSyntaxException {
-    T object = fromJson(json, TypeToken.get(classOfT));
-    return Primitives.wrap(classOfT).cast(object);
+    return fromJson(json, TypeToken.get(classOfT));
   }
 
   /**

gson/src/main/java/com/google/gson/internal/ConstructorConstructor.java

@@ -36,15 +36,9 @@
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.Queue;
-import java.util.Set;
-import java.util.SortedMap;
-import java.util.SortedSet;
 import java.util.TreeMap;
 import java.util.TreeSet;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
-import java.util.concurrent.ConcurrentNavigableMap;
 import java.util.concurrent.ConcurrentSkipListMap;
 
 /** Returns a function that can construct an instance of a requested type. */
@@ -321,7 +315,6 @@ public T construct() {
   }
 
   /** Constructors for common interface types like Map and List and their subtypes. */
-  @SuppressWarnings("unchecked") // use runtime checks to guarantee that 'T' is what it is
   private static <T> ObjectConstructor<T> newDefaultImplementationConstructor(
       final Type type, Class<? super T> rawType) {
 
@@ -334,78 +327,136 @@ private static <T> ObjectConstructor<T> newDefaultImplementationConstructor(
      */
 
     if (Collection.class.isAssignableFrom(rawType)) {
-      if (SortedSet.class.isAssignableFrom(rawType)) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new TreeSet<>();
-          }
-        };
-      } else if (Set.class.isAssignableFrom(rawType)) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new LinkedHashSet<>();
-          }
-        };
-      } else if (Queue.class.isAssignableFrom(rawType)) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new ArrayDeque<>();
-          }
-        };
-      } else {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new ArrayList<>();
-          }
-        };
-      }
+      @SuppressWarnings("unchecked")
+      ObjectConstructor<T> constructor = (ObjectConstructor<T>) newCollectionConstructor(rawType);
+      return constructor;
     }
 
     if (Map.class.isAssignableFrom(rawType)) {
-      if (ConcurrentNavigableMap.class.isAssignableFrom(rawType)) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new ConcurrentSkipListMap<>();
-          }
-        };
-      } else if (ConcurrentMap.class.isAssignableFrom(rawType)) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new ConcurrentHashMap<>();
-          }
-        };
-      } else if (SortedMap.class.isAssignableFrom(rawType)) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new TreeMap<>();
-          }
-        };
-      } else if (type instanceof ParameterizedType
-          && !String.class.isAssignableFrom(
-              TypeToken.get(((ParameterizedType) type).getActualTypeArguments()[0]).getRawType())) {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new LinkedHashMap<>();
-          }
-        };
-      } else {
-        return new ObjectConstructor<T>() {
-          @Override
-          public T construct() {
-            return (T) new LinkedTreeMap<>();
-          }
-        };
-      }
+      @SuppressWarnings("unchecked")
+      ObjectConstructor<T> constructor = (ObjectConstructor<T>) newMapConstructor(type, rawType);
+      return constructor;
+    }
+
+    // Unsupported type; try other means of creating constructor
+    return null;
+  }
+
+  // Suppress Error Prone false positive: Pattern is reported for overridden methods, see
+  // https://github.com/google/error-prone/issues/4563
+  @SuppressWarnings("NonApiType")
+  private static ObjectConstructor<? extends Collection<? extends Object>> newCollectionConstructor(
+      Class<?> rawType) {
+
+    // First try List implementation
+    if (rawType.isAssignableFrom(ArrayList.class)) {
+      return new ObjectConstructor<ArrayList<Object>>() {
+        @Override
+        public ArrayList<Object> construct() {
+          return new ArrayList<>();
+        }
+      };
+    }
+    // Then try Set implementation
+    else if (rawType.isAssignableFrom(LinkedHashSet.class)) {
+      return new ObjectConstructor<LinkedHashSet<Object>>() {
+        @Override
+        public LinkedHashSet<Object> construct() {
+          return new LinkedHashSet<>();
+        }
+      };
+    }
+    // Then try SortedSet / NavigableSet implementation
+    else if (rawType.isAssignableFrom(TreeSet.class)) {
+      return new ObjectConstructor<TreeSet<Object>>() {
+        @Override
+        public TreeSet<Object> construct() {
+          return new TreeSet<>();
+        }
+      };
+    }
+    // Then try Queue implementation
+    else if (rawType.isAssignableFrom(ArrayDeque.class)) {
+      return new ObjectConstructor<ArrayDeque<Object>>() {
+        @Override
+        public ArrayDeque<Object> construct() {
+          return new ArrayDeque<>();
+        }
+      };
+    }
+
+    // Was unable to create matching Collection constructor
+    return null;
+  }
+
+  private static boolean hasStringKeyType(Type mapType) {
+    // If mapType is not parameterized, assume it might have String as key type
+    if (!(mapType instanceof ParameterizedType)) {
+      return true;
+    }
+
+    Type[] typeArguments = ((ParameterizedType) mapType).getActualTypeArguments();
+    if (typeArguments.length == 0) {
+      return false;
+    }
+    // Consider String and supertypes of it
+    return TypeToken.get(typeArguments[0]).getRawType().isAssignableFrom(String.class);
+  }
+
+  // Suppress Error Prone false positive: Pattern is reported for overridden methods, see
+  // https://github.com/google/error-prone/issues/4563
+  @SuppressWarnings("NonApiType")
+  private static ObjectConstructor<? extends Map<? extends Object, Object>> newMapConstructor(
+      final Type type, Class<?> rawType) {
+    // First try Map implementation
+    /*
+     * Legacy special casing for Map<String, ...> to avoid DoS from colliding String hashCode
+     * values for older JDKs; use own LinkedTreeMap<String, Object> instead
+     */
+    if (rawType.isAssignableFrom(LinkedTreeMap.class) && hasStringKeyType(type)) {
+      return new ObjectConstructor<LinkedTreeMap<Object, Object>>() {
+        @Override
+        public LinkedTreeMap<Object, Object> construct() {
+          return new LinkedTreeMap<>();
+        }
+      };
+    } else if (rawType.isAssignableFrom(LinkedHashMap.class)) {
+      return new ObjectConstructor<LinkedHashMap<Object, Object>>() {
+        @Override
+        public LinkedHashMap<Object, Object> construct() {
+          return new LinkedHashMap<>();
+        }
+      };
+    }
+    // Then try SortedMap / NavigableMap implementation
+    else if (rawType.isAssignableFrom(TreeMap.class)) {
+      return new ObjectConstructor<TreeMap<Object, Object>>() {
+        @Override
+        public TreeMap<Object, Object> construct() {
+          return new TreeMap<>();
+        }
+      };
+    }
+    // Then try ConcurrentMap implementation
+    else if (rawType.isAssignableFrom(ConcurrentHashMap.class)) {
+      return new ObjectConstructor<ConcurrentHashMap<Object, Object>>() {
+        @Override
+        public ConcurrentHashMap<Object, Object> construct() {
+          return new ConcurrentHashMap<>();
+        }
+      };
+    }
+    // Then try ConcurrentNavigableMap implementation
+    else if (rawType.isAssignableFrom(ConcurrentSkipListMap.class)) {
+      return new ObjectConstructor<ConcurrentSkipListMap<Object, Object>>() {
+        @Override
+        public ConcurrentSkipListMap<Object, Object> construct() {
+          return new ConcurrentSkipListMap<>();
+        }
+      };
     }
 
+    // Was unable to create matching Map constructor
     return null;
   }
 

gson/src/test/java/com/google/gson/GsonTest.java

@@ -142,6 +142,61 @@ public Object read(JsonReader in) {
     }
   }
 
+  @Test
+  public void testFromJson_WrongResultType() {
+    class IntegerAdapter extends TypeAdapter<Integer> {
+      @Override
+      public Integer read(JsonReader in) throws IOException {
+        in.skipValue();
+        return 3;
+      }
+
+      @Override
+      public void write(JsonWriter out, Integer value) {
+        throw new AssertionError("not needed for test");
+      }
+
+      @Override
+      public String toString() {
+        return "custom-adapter";
+      }
+    }
+
+    Gson gson = new GsonBuilder().registerTypeAdapter(Boolean.class, new IntegerAdapter()).create();
+    // Use `Class<?>` here to avoid that the JVM itself creates the ClassCastException (though the
+    // check below for the custom message would detect that as well)
+    Class<?> deserializedClass = Boolean.class;
+    var exception =
+        assertThrows(ClassCastException.class, () -> gson.fromJson("true", deserializedClass));
+    assertThat(exception)
+        .hasMessageThat()
+        .isEqualTo(
+            "Type adapter 'custom-adapter' returned wrong type; requested class java.lang.Boolean"
+                + " but got instance of class java.lang.Integer\n"
+                + "Verify that the adapter was registed for the correct type.");
+
+    // Returning boxed object should be allowed (e.g. returning `Integer` for `int`)
+    Gson gson2 = new GsonBuilder().registerTypeAdapter(int.class, new IntegerAdapter()).create();
+    assertThat(gson2.fromJson("0", int.class)).isEqualTo(3);
+
+    class NullAdapter extends TypeAdapter<Object> {
+      @Override
+      public Object read(JsonReader in) throws IOException {
+        in.skipValue();
+        return null;
+      }
+
+      @Override
+      public void write(JsonWriter out, Object value) {
+        throw new AssertionError("not needed for test");
+      }
+    }
+
+    // Returning `null` should be allowed
+    Gson gson3 = new GsonBuilder().registerTypeAdapter(Boolean.class, new NullAdapter()).create();
+    assertThat(gson3.fromJson("true", Boolean.class)).isNull();
+  }
+
   @Test
   public void testGetAdapter_Null() {
     Gson gson = new Gson();